I know, I know… as some of us wipe the collective egg off our faces for not delivering on some early promises (did we promise things?) of aaOpenSource. The fact of the matter is that we are all crazy busy and doing work for free just didn’t bubble up to the top for any of us.
Well I’m here to change that, in a very small way. This past weekend I worked on a total rewrite of my LDAP authentication engine. One of the items I was never crazy about was how long a password hung around in the UDA’s in clear text before getting cleared out. So I did something about it.
Using some code I had laying around from another project (aaBackup) I re-purposed some of it and rolled a dll to implement AES encryption. Before you jump me and say hey Andy, you don’t know nuthin’ ‘bout that thar encryption..you are correct. I spent a long time looking high and low for some of the best implementations I could find, with lots of positive reviews. The most important thing, however, was that it had to be easy to use. I think this fits the bill.
The pseudocode goes something like this.
1) Create some kind of random string
2) Instantiate the aaEncryption object, feeding it the random string as a seed value
3) Call the .EncryptString function to take a string and create an encrypted version of it
4) Call the .DecryptToString to take the encrypted value and decrypt it.
That’s it. Very Simple, very straightforward.
So, how do you the local junior archestranauts fit in? In the spirit of open source I want to share both the C# code for the DLL as well as my example Archestra objects for testing it out.
What do I want you to do with it? Beat on it, tear it to shreds, recommend better ways to do things.. all the while keeping in mind this thing needs to stay dirt simple. So what are some of my ideas on things to make better?
1) Have the DLL automatically add itself to the app domain when you instantiate it. Right now I have an initialization routine that creates the object and stashes it in the app domain.
2) Clean up some dead code. You will see some code that used a bunch of calls to create a unique fingerprint of the PC it was running on. This was cool but it failed in two areas. First, it used the same data to create encryption keys for two encryption instances running on different engines, but the same host. I didn’t like this. Second, it was really slow. On average it took about 2 seconds to initialize, which I didn’t like.
3) Create a routine in the DLL to generate a new random seed if no seed is passed
4) Remove, or make private, some of the extra calls that we won’t use in our implementation… keep it simple
5) Find the limits on the System Platform side. I have my SP2014 engine a number of times trying to enter really long strings to see if I could successfully encrypt then decrypt. I should probably drop back to this testing in C# but I was feeling on the lazy side.
6) Write some good unit tests. Maybe my hard core software friends could handle this part for us. All I know how to do is throw together a little windows form to poke some values and push some buttons.
7) I thought about performance tests but this thing is really really fast, typically less than 5ms to encrypt, so I’m not sure it is necessary. I think we’ll find the limits on SP2014 strings before speed ever becomes an issue.. unless you are doing a large array.
8) Help me think about the architecture for initializing the encryption engine then sticking it in the AppDomain.. is this the best method. Should I have one instance per engine or should I have one per object to be really really really secure.
9) And the biggy, generally poke some holes in the concept and structure. As you have already guessed I am not a security expert so I may have some gaping holes that others can identify. Let’s make this thing better.
For now I’ll just post the aaslib, the aapkg, and the DLL source code. I’ll chat with some of the other aaOpenSource co-conspirators to figure out how to get this hosted on a nice Git repository or something that real software developers use.
AAPKG File - Example
DLL Code - Code
aaSlib File - aasLib
Take care and …. what does the fox say?
your loyal Archestranaut